LFX Security FAQs

What is LFX Security?

LFX Security is a comprehensive service designed to assist open-source developers in identifying and addressing security vulnerabilities in their code, ultimately creating more secure software. This service also detects sensitive information, such as code secrets, and non-inclusive language within codebases.

Does LFX Security automatically scan my project’s code?

If your project is in the Linux Foundation database, LFX Security scans your code weekly. Detected vulnerabilities are added to your project dashboards, cross-referenced against identifiers from databases such as CWE, CVE, and GHSA, and classified as critical, high, medium, or low risk. You also get an inventory of your dependencies and their licenses, with details for each. In the same pass, LFX Security scans for code secrets and non-inclusive language.

What do Critical/High/Medium/Low Vulnerabilities mean?

These levels follow the CVSS severity ratings used by the National Vulnerability Database (NVD). For the score ranges behind each level, please refer to NVD.

Who can see LFX Security reports?

LFX Security fetches each user's permissions from GitHub and maps them onto the following LFX Security roles:

  • Owner/Admin -> GitHub admin permission

  • Maintainer -> GitHub maintain permission

  • Contributor -> GitHub triage, push, or pull permission

Users mapped to these roles receive the corresponding Contributor or Maintainer permissions in LFX Security. With them they can dismiss irrelevant vulnerability issues, send notifications, and mark issues as false positives.

What languages and programming ecosystems are supported for vulnerability scanning?

Dependency and vulnerability scanning is currently supported for JavaScript, Node.js (npm), Java, Scala, Ruby, Python, Golang, and PHP.

Why is there a mismatch between "Vulnerabilities Fixed" and "Top 10 projects most active in fixing vulnerabilities"?

The Security Leaderboard displays two related metrics: "Vulnerabilities Fixed" and "Top 10 projects most active in fixing vulnerabilities." Although they might be expected to agree, they usually differ, and the reason is how each one counts a vulnerability that was fixed in more than one project.

Key Points:

"Vulnerabilities Fixed" count: The number of distinct vulnerabilities fixed across all scanned projects. A vulnerability that was fixed in several projects is counted once.

"Top 10 projects most active in fixing vulnerabilities" count: The sum of the per-project counts for the ten most active projects. A vulnerability that was fixed in more than one of those projects is counted once for each project in which it was fixed.

Why the Mismatch?

The discrepancy arises because the same vulnerability (for example, a CVE in a widely shared dependency) is often fixed in many projects. Summing the per-project counts counts it once per project, so the aggregate is higher than the distinct "Vulnerabilities Fixed" count.
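The two metrics, computed side by side over a constructed data set. This is an added illustration, not LFX Security's or the leaderboard's own code; the record format (one (project, vulnerability id) pair per fix) and the vulnerability ids are assumptions made for the example.

```python
from collections import Counter

# Constructed sample data, not real LFX records: one entry per
# (project, vulnerability id) pair that the project has fixed.
# "vuln-1" is fixed in three projects, "vuln-2" in two.
FIXED_RECORDS = [
    ("project-a", "vuln-1"),
    ("project-a", "vuln-2"),
    ("project-a", "vuln-3"),
    ("project-b", "vuln-1"),   # same vulnerability as project-a
    ("project-b", "vuln-4"),
    ("project-c", "vuln-1"),   # and again
    ("project-c", "vuln-2"),   # same vulnerability as project-a
    ("project-d", "vuln-5"),
]


def vulnerabilities_fixed(records):
    """'Vulnerabilities Fixed': each vulnerability id counts once,
    however many projects fixed it."""
    return len({vuln_id for _, vuln_id in records})


def per_project_counts(records):
    """Distinct vulnerabilities fixed by each project (a project that
    fixed the same id twice, e.g. in two branches, still counts it once)."""
    seen = {}
    for project, vuln_id in records:
        seen.setdefault(project, set()).add(vuln_id)
    return Counter({project: len(ids) for project, ids in seen.items()})


def top_projects(records, n=10):
    """Leaderboard ranking: the n projects with the most fixed
    vulnerabilities, ties broken by project name."""
    counts = per_project_counts(records)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))[:n]


def top_projects_total(records, n=10):
    """Sum of the per-project counts in the 'Top N' list: a vulnerability
    fixed in k of the top projects contributes k here but only 1 to
    vulnerabilities_fixed(), which is the source of the mismatch."""
    return sum(count for _, count in top_projects(records, n))


if __name__ == "__main__":
    print("Vulnerabilities Fixed (distinct):", vulnerabilities_fixed(FIXED_RECORDS))
    print("Top 10 per-project sum:", top_projects_total(FIXED_RECORDS))
    for project, count in top_projects(FIXED_RECORDS):
        print(f"  {project}: {count}")
```

With the sample above, the distinct count is 5 while the Top 10 sum is 8; the difference of 3 is exactly the extra per-project counts of "vuln-1" (two repeats) and "vuln-2" (one repeat).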

How are licenses identified?

LFX Security uses Snyk to scan a project's Git-based repository and match its dependencies' licenses against the SPDX license list. The exact method varies by ecosystem, but in general Snyk reviews the license stated on the package, retrieves license metadata from the package registry, and reads the license information declared in manifest files.

What partners support the LFX Security service?

For LFX Security, we are partnering with a few solution providers where it makes sense. For example, projects can choose to allocate funds raised through the LFX Funding service to administer bug bounty programs through a partnership with HackerOne. Snyk provides daily vulnerability scanning for all projects on LFX (Funding and Mentorship) to identify vulnerabilities and dependencies, and to help manage intellectual property (IP) risk with license verification.

How does LFX Security help a project manage its intellectual property obligations?

LFX Security helps projects manage their intellectual property (IP) obligations in two key ways:

Dependency License Scans

  1. Automatic dependency scans: All projects in LFX Security receive automatic dependency license scans, providing a comprehensive view of direct and indirect third-party dependencies.

  2. License association: Snyk associates licenses with libraries and packages, giving maintainers a clear understanding of the third-party licenses their project relies on.

  3. Compliance and decision-making: This reporting enables projects to:

    • Determine whether to avoid dependencies with incompatible licenses

    • Identify compliance obligations for used dependencies

    • Reproduce necessary license notices when distributing dependencies

EasyCLA (Contributor License Agreement) Service

The Linux Foundation's EasyCLA service addresses the challenges of ensuring contributors assign IP rights to open-source projects. Key features include:

  1. Corporate authority handling: EasyCLA requires corporate agreements to be signed by authorized signatories, enabling companies to control contributor access.

  2. Fine-grained authorization: Companies can specify individual contributors or authorize all employees across a domain name.

  3. Workflow facilitation: EasyCLA ensures code contributions meet requirements, streamlining workflows and ensuring contributor satisfaction.

Availability and Future Plans

The EasyCLA service is initially available to Linux Foundation-hosted projects, with plans to expand to a broader set of projects, including those on LFX Security.

When is the license information displayed as "Unknown"?

The license information is displayed as "Unknown" when the Snyk API cannot find license information and returns an "unknown" value to LFX Security.

When is the license information displayed as empty without any license information?

The License field is left blank when the Snyk API returns no license value at all for the dependency, as opposed to the explicit "unknown" value above. In that case there are no license details for LFX Security to display.
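As an added illustration of the manifest step of license identification and of the two display states in the preceding answers, the following example reads the declared license from an npm package.json and from a Python METADATA file, maps it onto an SPDX identifier, and reports either the identifier, "Unknown" (something was declared but could not be mapped), or an empty value (nothing was declared). This is example code, not Snyk's or LFX Security's implementation: the SPDX subset, the alias table, and the rule that maps "declared but unrecognised" to "Unknown" are assumptions of the example, and the manifests are constructed.

```python
import json
import re

# Small subset of the SPDX license list (https://spdx.org/licenses/), embedded so
# the example runs offline; a real checker would load the full list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause",
            "GPL-2.0-only", "GPL-3.0-only", "ISC", "MPL-2.0"}

# Non-SPDX spellings commonly found in manifests (assumed aliases for this example).
ALIASES = {
    "mit license": "MIT",
    "apache 2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "apache software license": "Apache-2.0",
    "isc license (iscl)": "ISC",
}
ALIASES.update({spdx_id.lower(): spdx_id for spdx_id in SPDX_IDS})


def normalize(declared):
    """Map a declared license string to an SPDX id, or None if unrecognised."""
    if declared is None or not declared.strip():
        return None
    text = declared.strip()
    return text if text in SPDX_IDS else ALIASES.get(text.lower())


def license_from_package_json(raw):
    """Return the license declared in package.json, handling the current string
    form plus the legacy {"type": ...} object and "licenses" array forms."""
    data = json.loads(raw)
    lic = data.get("license")
    if isinstance(lic, dict):
        lic = lic.get("type")
    if lic is None:
        legacy = data.get("licenses")
        if isinstance(legacy, list) and legacy and isinstance(legacy[0], dict):
            lic = legacy[0].get("type")
    return lic if isinstance(lic, str) else None


def license_from_python_metadata(raw):
    """Return the license from a METADATA file: the License: header unless it is
    the setuptools placeholder UNKNOWN, otherwise the OSI trove classifier."""
    m = re.search(r"^License:\s*(.+)$", raw, re.MULTILINE)
    if m and m.group(1).strip().upper() != "UNKNOWN":
        return m.group(1).strip()
    m = re.search(r"^Classifier:\s*License :: OSI Approved :: (.+)$", raw, re.MULTILINE)
    return m.group(1).strip() if m else None


def display_license(declared):
    """The two display states from the FAQ: an SPDX id when identified,
    "Unknown" when declared but unmappable, "" when nothing was declared."""
    if declared is None or not declared.strip():
        return ""
    return normalize(declared) or "Unknown"


def identify_license(manifest_name, raw):
    """Dispatch on manifest type and return the value LFX would display."""
    if manifest_name == "package.json":
        return display_license(license_from_package_json(raw))
    if manifest_name == "METADATA":
        return display_license(license_from_python_metadata(raw))
    raise ValueError(f"unsupported manifest: {manifest_name}")


# Constructed manifests for the example (not real packages).
PKG_SPDX = '{"name": "a", "version": "1.0.0", "license": "MIT"}'
PKG_LEGACY = '{"name": "b", "version": "1.0.0", "license": {"type": "Apache 2.0"}}'
PKG_CUSTOM = '{"name": "c", "version": "1.0.0", "license": "SEE LICENSE IN LICENSE.txt"}'
PKG_NONE = '{"name": "d", "version": "1.0.0"}'
META_CLASSIFIER = (
    "Metadata-Version: 2.1\nName: e\nVersion: 1.0\nLicense: UNKNOWN\n"
    "Classifier: License :: OSI Approved :: MIT License\n"
)
META_NONE = "Metadata-Version: 2.1\nName: f\nVersion: 1.0\nLicense: UNKNOWN\n"

if __name__ == "__main__":
    for name, raw in [("package.json", PKG_SPDX), ("package.json", PKG_LEGACY),
                      ("package.json", PKG_CUSTOM), ("package.json", PKG_NONE),
                      ("METADATA", META_CLASSIFIER), ("METADATA", META_NONE)]:
        print(f"{name}: {identify_license(name, raw)!r}")
```

A package that points at a custom license file ("SEE LICENSE IN ...") is declared but cannot be mapped to the SPDX list, so it surfaces as "Unknown" and deserves a manual review; a package with no declaration at all surfaces as the empty value, which is a gap in the dependency's metadata rather than an unusual license.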

Copyright © 2022 The Linux Foundation®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.